Forma LMS is a popular open-source Learning Management System (LMS) used by many organizations to manage their e-learning programs. Forma LMS version 3.1 and earlier contain a critical SQL injection vulnerability, assigned the identifier CVE-2022-42923. An attacker who is authenticated as a student in the system could exploit this vulnerability to dump the entire database or delete all contents of the 'core_user_file' table.

This post will discuss the details of the vulnerability, provide code snippets, and link to original references for further information. If you are using the Forma LMS, it is crucial to be aware of this vulnerability so you can take the necessary steps to protect your system.

The following snippet shows the request-dispatch code in Forma LMS version 3.1 and earlier through which the vulnerable handler is reached:

// appCore/index.php

// The route is taken straight from the query string; nothing here
// constrains the parameters the dispatched handler will later read.
if (isset($_GET['r'])) {
    $r = $_GET['r'];
} else {
    $r = false;
}

// ...

if ($r) {
    // 'r' is split on '/' into a module name and an operation name.
    list($s_mod, $s_op) = explode("/", $r);
    // Only registered modules are loaded...
    if (in_array($s_mod, $mods)) {
        include(_base_ . "/appCore/controllers/" . $s_mod . ".php");
        // ...and the operation is dispatched to a dispatch_<op>() function,
        // which reads its own parameters (such as 'id') from the request.
        if (function_exists('dispatch_' . $s_op)) {
            $func = 'dispatch_' . $s_op;
            $func();
        }
    }
}

Exploit Details

The vulnerability is reached through the 'appCore/index.php' file, specifically via the 'r' parameter. When a request with the value 'r=adm/mediagallery/delete' is processed, the 'id' parameter is interpolated directly into an SQL query without sanitization or validation. This allows an attacker to inject SQL into the query and perform unauthorized actions on the database.

To exploit this vulnerability, an attacker would need to have an authenticated student account on the LMS. The attacker could then send a request to the application with the 'r' parameter set to 'adm/mediagallery/delete' and the 'id' parameter set to their crafted SQL code.

For instance, an attacker could use the following request to dump the entire database:

http://example.com/appCore/index.php?r=adm/mediagallery/delete&id=1 UNION SELECT table_name, username, email, password FROM information_schema.tables, core_user -- -

Alternatively, to delete all contents from the 'core_user_file' table, the attacker could use this request:

http://example.com/appCore/index.php?r=adm/mediagallery/delete&id=1; DELETE FROM core_user_file; -- -

Original References

- Official Forma LMS Repository: https://github.com/formalms/forma.lms
- The original disclosure of the vulnerability: https://security-tracker.debian.org/tracker/CVE-2022-42923

Mitigation

The developers of Forma LMS have been informed about this vulnerability. If you are using Forma LMS 3.1 or earlier, we highly recommend updating your installation to the latest version as soon as a patch becomes available. In the meantime, you can protect your system by adding proper input validation and sanitization for the 'id' parameter handled via 'appCore/index.php', and by limiting the privileges of the database account that student-facing code uses.
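As an added illustration of the mitigation (this is example code written for this post, not code from the Forma LMS project), the handler below shows what a hardened 'delete' operation of the shape described above looks like: the 'id' parameter is validated as a positive integer before any SQL is built, the query is parameterised, and an ownership clause ties the deletion to the requesting user. The function name, the 'id_user' column and the in-memory SQLite schema are assumptions made for the demonstration and are not taken from the application.

```php
<?php
// Added example, not Forma LMS project code. Function name, column names
// and the SQLite sample schema below are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate the raw 'id' request value as a strictly positive integer.
 * Anything else (e.g. "1 UNION SELECT ..." or "1; DELETE ...") yields null.
 */
function validate_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects embedded spaces, quotes and SQL fragments;
    // min_range excludes zero and negative values.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Delete one media-gallery row belonging to the current user.
 * The statement is prepared, so $id is bound as data and cannot alter the
 * query structure; the ownership clause keeps a student from deleting other
 * users' files even when the id itself is well-formed.
 */
function dispatch_delete(PDO $db, int $currentUserId, ?string $rawId): bool
{
    $id = validate_id($rawId);
    if ($id === null) {
        // Reject the request before touching the database.
        return false;
    }
    $stmt = $db->prepare(
        'DELETE FROM core_user_file WHERE id = :id AND id_user = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $currentUserId]);
    return $stmt->rowCount() === 1;
}

// Self-contained demonstration against an in-memory SQLite database
// (constructed sample rows, not the application's real schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE core_user_file (id INTEGER PRIMARY KEY, id_user INTEGER, name TEXT)');
$db->exec("INSERT INTO core_user_file VALUES (1, 7, 'a.png'), (2, 7, 'b.png'), (3, 9, 'c.png')");

// Legitimate request: student with user id 7 deletes their own file 1.
var_dump(dispatch_delete($db, 7, '1'));
// The stacked-query payload from the post: rejected by validate_id().
var_dump(dispatch_delete($db, 7, '1; DELETE FROM core_user_file; -- -'));
// A well-formed id that belongs to another user: the ownership clause matches nothing.
var_dump(dispatch_delete($db, 7, '3'));
// Rows that the two rejected requests would have removed are still present.
var_dump((int) $db->query('SELECT COUNT(*) FROM core_user_file')->fetchColumn());
```

Run with `php` and the `pdo_sqlite` extension; the first call succeeds, the two injection and cross-user attempts fail without running any DELETE, and two of the three sample rows remain. Validation and a prepared statement each stop this bug on their own; using both, plus a database account for the web application that has no privileges beyond what its own tables need, limits the blast radius if another handler is found with the same defect.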

In conclusion, it is essential to be aware of the CVE-2022-42923 vulnerability in Forma LMS 3.1 and earlier versions. With the right knowledge and understanding of the issue, you can take the necessary steps to protect your system and the valuable data it contains.

Timeline

Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 20:06:00 UTC